EVID : 1024 Epo Infected File Deleted
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
Evid : 1024 Epo Infected File Deleted | Base Rule | Failed Malware | Failed Malware Activity |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| MachineName | N/A | N/A | Name of the system hosting the detecting product. |
| AgentGUID | N/A | N/A | Unique identifier of the agent that forwarded the event. |
| IPAddress | <dip> | IP Address | IP address of the system hosting the detecting product (if given in the event). |
| OSName | N/A | N/A | N/A |
| UserName | N/A | N/A | N/A |
| TimeZoneBias | N/A | N/A | N/A |
| RawMACAddress | <dmac> | Text/String | MAC address of the system hosting the detecting product. |
| ProductName | <vendorinfo> | Text/String | Name of the detecting managed product. |
| ProductVersion | <version> | Text/String/Number | Version number of the detecting product. |
| ProductFamily | N/A | N/A | N/A |
| Analyzer | N/A | N/A | N/A |
| AnalyzerName | N/A | N/A | Name of the detecting managed product. |
| AnalyzerVersion | N/A | N/A | Version number of the detecting product. |
| AnalyzerHostName | N/A | N/A | Name of the system hosting the detecting product. |
| AnalyzerEngineVersion | N/A | N/A | Version number of the detecting product’s engine (if given in the event). |
| AnalyzerDetectionMethod | N/A | N/A | The name of the task or task type that was responsible for detecting the threat. |
| AnalyzerDATVersion | N/A | N/A | DAT version on the system that sent the event. |
| EventID | <vmid> | Number | Unique identifier of the event class. |
| Severity | N/A | N/A | N/A |
| GMTTime | N/A | N/A | N/A |
| ThreatCategory | <subject> | Text/String | Category of the event. Possible categories depend on the product. |
| ThreatEventID | N/A | N/A | Unique identifier of the event class. |
| ThreatSeverity | <severity> | Number | The severity of the detected threat as defined by each managed product. |
| ThreatName | <threatname> | Text/String | Name of the threat. |
| ThreatType | N/A | N/A | Class of the threat. |
| DetectedUTC | N/A | N/A | N/A |
| ThreatActionTaken | <action> | Text/String | The action taken by the product in response to the threat. |
| ThreatHandled | <result> | Text/String | Specifies whether the action taken was successful. |
| SourceHostName | <sname> | Text/String | System name from which the threat originated (if given in the event). |
| SourceProcessName | <process> | Text/String | The process name from which the threat originated. |
| TargetHostName | <dname> | Text/String | Name of the system that created the event. |
| TargetUserName | <domainimpacted> <account> | Text/String | The threat source user name or email address. |
| Target FileName | <object> | Text/String | Location of the threat on the detecting system. |
| target | N/A | N/A | N/A |
| BladeName | N/A | N/A | N/A |
| AnalyzerContentCreationDate | N/A | N/A | N/A |
| AnalyzerGTIQuery | N/A | N/A | N/A |
| ThreatDetectedOnCreation | N/A | N/A | N/A |
| TargetName | <objectname> | Text/String | N/A |
| TargetPath | N/A | N/A | N/A |
| TargetHash | <hash> | Text/String | N/A |
| TargetFileSize | <size> | Number | N/A |
| TargetModifyTime | N/A | N/A | N/A |
| TargetAccessTime | N/A | N/A | N/A |
| TargetCreateTime | N/A | N/A | N/A |
| Cleanable | N/A | N/A | N/A |
| TaskName | N/A | N/A | N/A |
| FirstAttemptedAction | N/A | N/A | N/A |
| FirstActionStatus | <status> | Text/String | N/A |
| SecondAttemptedAction | N/A | N/A | N/A |
| AttackVectorType | N/A | N/A | N/A |
| DurationBeforeDetection | N/A | N/A | N/A |
| NaturalLangDescription | N/A | N/A | N/A |
| DetectionMessage | N/A | N/A | N/A |
| AMCoreContentVersion | N/A | N/A | N/A |